It's no surprise that the biggest challenge facing today's security managers is gaining management support for security. Even if you have an ironclad risk assessment to support the need for a particular technology, it's your presentation, persuasion and negotiation skills that sway corporate managers.

None of us got into information security to become salesmen. I'd rather be running scans, debugging code or analyzing logs, but necessity is the mother of invention. When I commiserate with my peers, we half-jokingly call our selling techniques social engineering--and maybe it is.

Like the word "hacking," the term predates the current negative connotation of a criminal duping someone into handing over network passwords or other confidential data. If "ethical hacker" is an acceptable title for IBM's pen-testers, maybe "ethical social engineer" is nothing to shy away from either.

Persuasion and influence are widely studied areas of the social sciences--researchers have spent years trying to quantify their effects. Here are a few weapons of influence to help you talk to the C-suite:

Reciprocation is hardwired in all of us. When given a gift, we're compelled to respond in kind. This response of perceived obligation is leveraged every day: When we get a door prize at a grand opening, or free cheese in the dairy section of the grocery store, we feel the need to buy something in return.

In your security negotiations, start the discussion with a concession or two about a key item that's important to the executive you're trying to influence: "I've found a way we can secure your new wireless handheld's traffic so you can check your e-mail during meetings." Then, mention the new gigabit Ethernet taps you need. Alternatively, try asking initially for a lot more than you expect--knowing you'll be refused--and then work down to what you're actually aiming for. This is called "rejection-then-retreat."

Commitment and consistency are easy to understand if you've ever been a sports fan. Once we've made the decision--especially one that we've committed to publicly--to support a team, we stick with that team no matter what. None of us wants to be a hypocrite, even if we're mistaken.

Once you've obtained an agreement on a security initiative during your negotiations, get your supporters and decision-makers to send out an e-mail about the initiative, be co-presenters at a meeting, or otherwise publicly endorse the effort. Once someone has publicly backed you, he or she will feel compelled to remain steadfast in that support.

Social proof is easy to find--just flip on your television and watch a primetime sitcom. No one likes canned laughter, but it's widely used because it works so well. We're social animals, and we're wired to respond to certain social cues.

Now, the public endorsement you got from a key decision-maker can help move the herd. Work hard to get as many supporters for key projects as you can, and find ways to make good security the socially acceptable practice in your organization. Make security something visible that everyone feels a part of.

If the end result is improved security posture, making this brand of positive social engineering part of your infosecurity toolkit is a necessity. Good luck, and remember that a little bit goes a long way. Persuasion skills will help you succeed, but make sure you use them to promote solid security. They're no substitute for a level head.
